Auditing Events From Custom Security Providers 12-9
12.2.2.1 Example: Obtaining and Using the Auditor Service to Write Role Audit Events
Example 12–2 illustrates how a custom Role Mapping provider's runtime class, called MyRoleMapperProviderImpl.java, would obtain the Auditor Service and use it to write out audit events.
Example 12–2 MyRoleMapperProviderImpl.java
package mypackage;

import java.util.Map;
import javax.security.auth.Subject;
import weblogic.management.security.ProviderMBean;
import weblogic.security.SubjectUtils;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuditorService;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;
import weblogic.security.spi.Resource;
import weblogic.security.spi.SecurityServices;

public final class MyRoleMapperProviderImpl implements RoleProvider, RoleMapper
{
   private AuditorService auditor;

   public void initialize(ProviderMBean mbean, SecurityServices services)
   {
      // Cache the Auditor Service handed to the provider at initialization time.
      auditor = services.getAuditorService();
      // ...
   }

   public Map getRoles(Subject subject, Resource resource, ContextHandler handler)
   {
      // ...
      if (auditor != null)
      {
         // Pass the event to the Auditing providers configured in the realm.
         auditor.providerAuditWriteEvent(
            new MyRoleEventImpl(subject, resource, handler,
                                "why logging this event", null)); // null: no exception occurred
      }
      // ...
   }
}
12.2.2.2 Auditing Management Operations from a Provider's MBean
A SecurityServices object is passed into a security provider's implementation of a Provider SSPI as part of the initialize method. For more information, see Section 3.2.2, "Understand the Purpose of the Provider SSPIs." The provider can use this object's auditor to audit provider-specific security events, such as a user being successfully logged in.
A security provider's MBean implementation is not passed a SecurityServices object. However, the provider may need to audit its MBean operations, such as a user being created. To work around this, the provider's runtime implementation can cache the SecurityServices object and use a provider-specific mechanism to pass it to the provider's MBean implementation. This allows the provider to audit its MBean operations.
Note: The MyRoleMapperProviderImpl.java class relies on the MyAuditRoleEventImpl.java class from Example 12–1.
The Manageable Sample Authentication Provider, available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site, shows one way to accomplish this task. The sample provider contains three major implementation classes:
■ ManageableSampleAuthenticationProviderImpl contains its security runtime implementation.
■ ManageableSampleAuthenticatorImpl contains its MBean implementation.
■ UserGroupDatabase is a helper class used by ManageableSampleAuthenticationProviderImpl and ManageableSampleAuthenticatorImpl.
The code flow to cache and obtain the SecurityServices object is as follows:
1. The ManageableSampleAuthenticationProviderImpl's initialize method is passed a SecurityServices object.
2. The initialize method creates a UserGroupDatabase object and passes it the SecurityServices object.
3. The UserGroupDatabase object caches the SecurityServices object. The initialize method also puts the UserGroupDatabase object into a hash table, using the realm's name as the lookup key.
4. The ManageableSampleAuthenticatorImpl's init method finds its realm name from its MBean.
5. The init method uses the realm name to find the corresponding UserGroupDatabase object in the hash table.
6. The init method then retrieves the SecurityServices object from the UserGroupDatabase object and uses its auditor to audit management operations such as createUser.
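The following is an added illustration of the six-step flow above; it is not the Manageable Sample Authentication Provider's own code. The class names RealmServicesCache, MyAuthenticationProviderImpl, MyAuthenticatorImpl and CreateUserEvent are hypothetical stand-ins, and obtaining the realm name through mbean.getRealm().getName() is an assumption about the ProviderMBean API.

```java
package mypackage;

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import weblogic.management.security.ProviderMBean;
import weblogic.security.spi.AuditEvent;
import weblogic.security.spi.AuditSeverity;
import weblogic.security.spi.AuditorService;
import weblogic.security.spi.SecurityServices;

// Hypothetical helper playing the role of the sample's UserGroupDatabase hash table:
// it caches the SecurityServices object under the realm name (steps 2 and 3).
final class RealmServicesCache {
   private static final Map<String, SecurityServices> BY_REALM = new ConcurrentHashMap<>();
   static void put(String realmName, SecurityServices services) { BY_REALM.put(realmName, services); }
   static SecurityServices get(String realmName) { return BY_REALM.get(realmName); }
}

// Runtime side (step 1): initialize receives SecurityServices and caches it.
final class MyAuthenticationProviderImpl {
   public void initialize(ProviderMBean mbean, SecurityServices services) {
      String realmName = mbean.getRealm().getName(); // assumption: realm name via the MBean
      RealmServicesCache.put(realmName, services);
   }
}

// MBean side (steps 4 to 6): init is not handed SecurityServices, so it looks it up by realm.
final class MyAuthenticatorImpl {
   private AuditorService auditor;

   public void init(ProviderMBean mbean) {
      SecurityServices services = RealmServicesCache.get(mbean.getRealm().getName());
      auditor = (services == null) ? null : services.getAuditorService();
   }

   public void createUser(String userName) {
      // ... create the user in the provider's own store ...
      if (auditor != null) {
         auditor.providerAuditWriteEvent(new CreateUserEvent(userName)); // record the management operation
      }
   }
}

// Minimal AuditEvent describing a successful createUser management operation.
final class CreateUserEvent implements AuditEvent {
   private final String userName;
   CreateUserEvent(String userName) { this.userName = userName; }
   public String getEventType() { return "MyAuthenticator createUser"; }
   public Exception getFailureException() { return null; } // null: operation succeeded
   public AuditSeverity getSeverity() { return AuditSeverity.SUCCESS; }
   public String toString() { return "createUser(" + userName + ")"; }
}
```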
12.2.2.3 Example: Auditing Management Operations from a Provider's MBean